Bug 2218604 (CVE-2023-3389) - CVE-2023-3389 kernel: Racing an io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer
Keywords:
Status: NEW
Alias: CVE-2023-3389
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact: Murphy Zhou
URL:
Whiteboard:
Depends On: 2218610 2218611 2220934 2220935
Blocks: 2218602
Reported: 2023-06-29 15:33 UTC by Patrick Del Bello
Modified: 2023-11-03 09:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s io_uring functionality. This flaw allows a local user to crash the system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Patrick Del Bello 2023-06-29 15:33:19 UTC
A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.

Racing an io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.

We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).



https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=0e388fce7aec40992eadee654193cad345d62663
https://kernel.dance/4716c73b188566865bdd79c3a6709696a224ac04
https://kernel.dance/0e388fce7aec40992eadee654193cad345d62663
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=4716c73b188566865bdd79c3a6709696a224ac04
https://kernel.dance/ef7dfac51d8ed961b742218f526bd589f3900a59
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ef7dfac51d8ed961b742218f526bd589f3900a59

Comment 4 Alex 2023-07-06 14:54:36 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2220934]

Comment 7 Justin M. Forbes 2023-07-18 18:21:22 UTC
This was fixed for Fedora with the 6.0 kernel rebases.
